Single Sign On in High Availibility
Hello Friends,
I am trying to setup SSO service in HA mode.
I did install SSO on 2 nodes SSO-A and SSO-B.
I am using a virtual appliance load balancer.
On load balancer, configured a virtual server with name as SSOHA.domain.com and assigned 2 IP addresses to it.
This virtual server has the 2 nodes added to it as a pool of servers..
I am trying to install Inventory service and when it asks for SSO server, I am providing it with virtual server FQDN i.e., https://ssoha.domain.com:7444/lookupservice/sdk
but this is not going through..
What confuse me is the SSL.
As each SSO server by default has a self signed SSL, and I rem from my previous single node (basic) installation of SSO that the Inventory service installation prompted me to accept the SSL cert of SSO server after providing the installation with the URL https://SSOsrv.domain.com:7444/lookupservice/sdk.
Now when I have these nodes behind the load balancer, the Inventory service is not able to make connection. (this is what think).
There are possibilities that I am going totally wrong.
Does SSO support hardware LB?
I tried to find something on google, not specific.
If it does support, what should be the generic configuration of LB..
do i have to import the SSL in LB?
cannot find vmware KB, except the one that shows config of a software LB.
I might have confused some of you guys, plz do ask to understand the scenario and help to find solution.
Thanks.
I am trying to setup SSO service in HA mode.
I did install SSO on 2 nodes SSO-A and SSO-B.
I am using a virtual appliance load balancer.
On load balancer, configured a virtual server with name as SSOHA.domain.com and assigned 2 IP addresses to it.
This virtual server has the 2 nodes added to it as a pool of servers..
I am trying to install Inventory service and when it asks for SSO server, I am providing it with virtual server FQDN i.e., https://ssoha.domain.com:7444/lookupservice/sdk
but this is not going through..
What confuse me is the SSL.
As each SSO server by default has a self signed SSL, and I rem from my previous single node (basic) installation of SSO that the Inventory service installation prompted me to accept the SSL cert of SSO server after providing the installation with the URL https://SSOsrv.domain.com:7444/lookupservice/sdk.
Now when I have these nodes behind the load balancer, the Inventory service is not able to make connection. (this is what think).
There are possibilities that I am going totally wrong.
Does SSO support hardware LB?
I tried to find something on google, not specific.
If it does support, what should be the generic configuration of LB..
do i have to import the SSL in LB?
cannot find vmware KB, except the one that shows config of a software LB.
I might have confused some of you guys, plz do ask to understand the scenario and help to find solution.
Thanks.
ASKER
I have gone through this page and up-gradate docs.
There is no specifics for configuring a HLB.
Can you tell me to which section in your posted article should I refer?
There is no specifics for configuring a HLB.
Can you tell me to which section in your posted article should I refer?
The thumbprint for the SSL cert will get saved by the inventory service; it can't be varying from time-to-time. That means you'll need to either export the cert from one of the two SSO hosts and import it on the other, or use a 3rd-party cert and import it into both appliances.
Second, your load balancer shouldn't have 2 IPs associated with the SSO FQDN; it should have ony 1. The nodes of the LB will each have a "private" IP, used for management, but the object they're balancing will have an independent IP.
Finally, support for LB and HA on SSO is a delicate piece with VMware. Essentially, they say it can be done, but if you have problems with it, they'll require you to show that the problem exists without the LB before they'll help fix something. It's classic 1.0 software support, and the community has been giving VMware negative feedback on this topic since SSO was released.
In summary, SSO is a Web service. If standard practices are observed for creating the HA environment of a web server, then it is believed that it should work.
Second, your load balancer shouldn't have 2 IPs associated with the SSO FQDN; it should have ony 1. The nodes of the LB will each have a "private" IP, used for management, but the object they're balancing will have an independent IP.
Finally, support for LB and HA on SSO is a delicate piece with VMware. Essentially, they say it can be done, but if you have problems with it, they'll require you to show that the problem exists without the LB before they'll help fix something. It's classic 1.0 software support, and the community has been giving VMware negative feedback on this topic since SSO was released.
In summary, SSO is a Web service. If standard practices are observed for creating the HA environment of a web server, then it is believed that it should work.
ASKER
Thanks for your input..
I found an article on vmware KB which is exactly what has to be done to setup SSO HA.
It does not explain why to do and in which scenario, but gives a good info over it.
I am trying to work on it.
The key points in article is forwarding the service URLs which are in-bound request to Virtual Server on NLB to nodes in back-end. i.e., SSO-A and SSO-B.
Stingray Traffic manager is a bit tricky to configure.. and trying to figure out how to get it done.
As far as SSL part, you are correct when it comes to installing a single SSO node (basic install)
In HA scenario, SSO-A is installed and configured, SSO-B will take SSL thumbprint from SSO-A. then inventory service will.
There are many more confusions coming in, for what am trying to sort 1 by 1.
I would like to keep this question open if someone can give some more valuable inputs.
I found an article on vmware KB which is exactly what has to be done to setup SSO HA.
It does not explain why to do and in which scenario, but gives a good info over it.
I am trying to work on it.
The key points in article is forwarding the service URLs which are in-bound request to Virtual Server on NLB to nodes in back-end. i.e., SSO-A and SSO-B.
Stingray Traffic manager is a bit tricky to configure.. and trying to figure out how to get it done.
As far as SSL part, you are correct when it comes to installing a single SSO node (basic install)
In HA scenario, SSO-A is installed and configured, SSO-B will take SSL thumbprint from SSO-A. then inventory service will.
There are many more confusions coming in, for what am trying to sort 1 by 1.
I would like to keep this question open if someone can give some more valuable inputs.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The configuration on LB has to be precised to make other vCenter 5.1 roles communication with SSO nodes behind load balancer.
http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc%2FGUID-200B9E03-D46B-44A9-9B0E-4863D067CFFF.html
it may be specific to v5.1